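#!/bin/bash
#
# Audit the host's nftables configuration.
#
# Checks performed (one "[+]"/"[-]" line each on stdout):
#   1. the nftables unit is enabled and active under systemd
#   2. at least one chain in the ruleset declares "policy drop"
#   3. the loopback hardening rules are present: traffic on lo is accepted,
#      and packets addressed to 127.0.0.0/8 or ::1 that arrive on any other
#      interface are dropped
#
# Exit status: 0 when every check passes, 1 when any check fails or the
# ruleset cannot be read. Reading the ruleset normally requires root.
#
# Unlike a fail-fast audit, every check is evaluated and reported so that a
# single run shows all findings; the summary line is printed only when all
# checks passed.

set -u

# Accumulated result: stays 0 unless a check fails.
status=0

# Service must both survive a reboot (enabled) and be running now (active).
if systemctl is-enabled nftables &>/dev/null && systemctl is-active nftables &>/dev/null; then
    echo "[+] nftables服务已启用并运行。"
else
    echo "[-] nftables服务未启用或未运行。"
    status=1
fi

# Snapshot the ruleset once. This avoids re-running nft for every check and,
# more importantly, makes an nft failure (binary missing, insufficient
# privileges) an explicit error rather than a series of misleading
# "rule not configured" findings.
if ! ruleset=$(nft list ruleset 2>/dev/null); then
    echo "[-] 无法读取nftables规则集（nft不可用或权限不足）" >&2
    exit 1
fi

# NOTE: this only establishes that some chain declares "policy drop"; it does
# not verify that each base chain (input/forward/output) does.
if grep -q "policy drop" <<<"$ruleset"; then
    echo "[+] 默认策略已配置为DROP。"
else
    echo "[-] 默认策略未配置为DROP。"
    status=1
fi

# Loopback rules. nft prints the interface match the way the rule was written,
# so both the index form (iif) and the name form (iifname) are accepted, and
# the quotes around lo are optional.
if ! grep -Eq 'iif(name)? "?lo"? accept' <<<"$ruleset"; then
    echo "[-] 未配置允许lo接口流量"
    status=1
fi

if ! grep -Eq 'ip daddr 127.0.0.0/8 iif(name)? != "lo" drop' <<<"$ruleset"; then
    echo "[-] 未配置禁止非lo接口的loopback流量"
    status=1
fi

if ! grep -Eq 'ip6 daddr ::1 iif(name)? != "lo" drop' <<<"$ruleset"; then
    echo "[-] 未配置禁止非lo接口的IPv6 loopback流量"
    status=1
fi

# The success summary is only truthful when every check above passed.
if (( status == 0 )); then
    echo "[+] nftables已启用并正确配置，loopback安全规则已生效"
fi
exit "$status"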

